Internet explorer re-direct using paypal

[lt1bird]

When ever i go to www.paypal.com my IE browser is hijacked and a fake paypal webpage requesting lots of personnel info is displayed. Looks exactly like the real thing. A S&D scan plus a Virus scan does not turn up anything. Does not do it in netscape! Iv'e dont some searching, some folks say the trogan modifyed the dns server with keywords so any time I type paypal in it changes it. It also does it on AOL!! very very slick....How can I fix this or anyone point me in the right direction?
Thanks eveyone

Dan

 

[Shaba]

Hi lt1bird

Click here to download HJTInstall.exe

• Save HJTInstall.exe to your desktop.
• Doubleclick on the HJTInstall.exe icon on your desktop.
• By default it will install to C:\Program Files\Trend Micro\HijackThis .
• Click on Install.
• It will create a HijackThis icon on the desktop.
• Once installed, it will launch Hijackthis.
• Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
• Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
• Come back here to this thread and Paste the log in your next reply.
• DO NOT use the AnalyseThis button, its findings are dangerous if misinterpreted.
• DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

 

[lt1bird]

Please see HJT log below

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:48:18 AM, on 5/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton antivirus\defwatch.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Norton antivirus\vptray.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Hot Keyboard Pro1\HotKeyb.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
c:\program files\oem\msaspgh\msaspghost.exe
C:\Program Files\Norton antivirus\rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\CoCreate\OSDM_Server_2006\SDserver.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dynotunenitrous.com/store/Scripts/default.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.Ricavision.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.dynotunenitrous.com"); (C:\Documents and Settings\DAN\Application Data\Mozilla\Profiles\default\hc20xohv.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\DAN\Application Data\Mozilla\Profiles\default\hc20xohv.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [vptray] C:\Program Files\Norton antivirus\vptray.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [Hot Keyboard] C:\Program Files\Hot Keyboard Pro1\HotKeyb.exe -minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: Assign &hot key - C:\Program Files\Hot Keyboard Pro1\IEScript.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Handle with &Hot Keyboard - I:\hot keys\Hot Keyboard Pro\IEScript.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.Ricavision.com
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Norton antivirus\defwatch.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MEls - Unknown owner - C:\Program Files\CoCreate\MEls\MEls32.exe
O23 - Service: MSAS Plugin Host Service (MSASPGHost) - OEM - c:\program files\oem\msaspgh\msaspghost.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Norton antivirus\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SDserver2006 - CoCreate Software GmbH - C:\Program Files\CoCreate\OSDM_Server_2006\SDserver.exe

--
End of file - 6889 bytes

 

[Shaba]

Hi

Please click this link-->Jotti

Copy/paste the first file on the list into the white Upload a file box and click Submit/Send (depends on which one you are using Jotti or VirusTotal).

c:\program files\oem\msaspgh\msaspghost.exe

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

 

[lt1bird]

jotti scan:



File: msaspghost.exe
Status:
OK
MD5: b7932795958357d15e492b7d13f671c3

A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing

 

[Shaba]

Hi

Do you recognize this file?

c:\program files\oem\msaspgh\msaspghost.exe

 

[lt1bird]

Not sure if this lower section was needed:

A-Squared X
AntiVir HEUR/Crypted
ArcaVir Heur.Win32.I
Avast X
AVG Antivirus X
BitDefender X
ClamAV X
CPsecure X
Dr.Web Adware.Duncan.origin
F-Prot Antivirus X
F-Secure Anti-Virus X
Fortinet X
Ikarus Suspect code-parts
Kaspersky Anti-Virus X
NOD32 probably a variant of Win32/TrojanDownloader.ConHook.AA
Norman Virus Control W32/Suspicious_U.gen
Panda Antivirus X
Sophos Antivirus Mal/EncPk-AU
VirusBuster X
VBA32 Embedded.Trojan-Downloader.Win32.ConHook.ep

 

[lt1bird]

says it was created in 2004.....looks like a windows media center file...Not sure what it does....

 

[lt1bird]

when the problem started, my internet was not working. Everything was working but it would not connect....I disabled the onboard ethernet card and am using an external usb to eithernet box. Also, my delete key does not work in IE, only in netscape.

 

[Shaba]

Hi

I see.

Does IE still re-direct? And does Firefox too?

 

[lt1bird]

IE redirects most of the time(paypal). Netscape never does......seems fine

Thanks for the help

 

[Shaba]

Hi

Download HostsXpert and unzip it to your desktop.

Open HostsXpert that you earlier unzipped on your desktop

• Click "Make Hosts Writable?" upper left corner (if available)
• Click "Restore MS Hosts File" and then click OK
• Close HostsXpert

Note; IF you used any custom Hosts (eg. MVPS Hosts), you will have put them back manually

And tell me if it helped

 

[lt1bird]

did not help..... still re-directed to the fake ebay page. no delete key...

 

[Shaba]

Hi

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.

1. Close all applications and windows.
2. Double-click on dss.exe to run it, and follow the prompts.
3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post.

 

[lt1bird]

main.txt

Deckard's System Scanner v20071014.68
Run by Dan on 2008-05-31 14:01:57
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
9: 2008-05-31 18:02:03 UTC - RP9 - Deckard's System Scanner Restore Point
8: 2008-05-30 21:29:46 UTC - RP8 - Software Distribution Service 3.0
7: 2008-05-30 10:47:31 UTC - RP7 - Software Distribution Service 3.0
6: 2008-05-30 10:29:28 UTC - RP6 - Installed Windows Internet Explorer 7.
5: 2008-05-30 10:28:28 UTC - RP5 - Installed Windows IDNMitigationAPIs.


-- First Restore Point --
1: 2008-05-28 21:04:20 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Dan.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:04:31 PM, on 5/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton antivirus\defwatch.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Norton antivirus\vptray.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Hot Keyboard Pro1\HotKeyb.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
c:\program files\oem\msaspgh\msaspghost.exe
C:\Program Files\Norton antivirus\rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\CoCreate\OSDM_Server_2006\SDserver.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Dan\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Dan.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dynotunenitrous.com/store/Scripts/default.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.Ricavision.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.dynotunenitrous.com"); (C:\Documents and Settings\DAN\Application Data\Mozilla\Profiles\default\hc20xohv.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\DAN\Application Data\Mozilla\Profiles\default\hc20xohv.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [vptray] C:\Program Files\Norton antivirus\vptray.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [Hot Keyboard] C:\Program Files\Hot Keyboard Pro1\HotKeyb.exe -minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: Assign &hot key - C:\Program Files\Hot Keyboard Pro1\IEScript.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Handle with &Hot Keyboard - I:\hot keys\Hot Keyboard Pro\IEScript.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.Ricavision.com
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Norton antivirus\defwatch.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MEls - Unknown owner - C:\Program Files\CoCreate\MEls\MEls32.exe
O23 - Service: MSAS Plugin Host Service (MSASPGHost) - OEM - c:\program files\oem\msaspgh\msaspghost.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Norton antivirus\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SDserver2006 - CoCreate Software GmbH - C:\Program Files\CoCreate\OSDM_Server_2006\SDserver.exe

--
End of file - 6919 bytes

-- File Associations -----------------------------------------------------------

.scr - AutoCADLTScript - shell\open\command - C:\WINDOWS\NOTEPAD.EXE "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 Afc (PPdus ASPI Shell) - c:\windows\system32\drivers\afc.sys <Not Verified; Arcsoft, Inc.; Arcsoft(R) ASPI Shell>

S3 {DEF85C80-216A-43ab-AF70-1665EDBE2780} - c:\windows\temp\521.tmp (file missing)
S3 BVRPMPR5 (BVRPMPR5 NDIS Protocol Driver) - d:\instal~e\core\bvrpmpr5.sys (file missing)
S3 WinDriver6 (Alohabob USB Bridge Cable Driver) - c:\windows\system32\drivers\windrvr6.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 MSASPGHost (MSAS Plugin Host Service) - c:\program files\oem\msaspgh\msaspghost.exe <Not Verified; OEM; MSASPGH>
R2 SDserver2006 - c:\program files\cocreate\osdm_server_2006\sdserver.exe <Not Verified; CoCreate Software GmbH; CoCreate OneSpace Designer Modeling SDserver>

S2 MEls - "c:\program files\cocreate\mels\mels32.exe"


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-24 18:29:02 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-04-30 and 2008-05-31 -----------------------------

2008-05-31 09:47:48 0 d-------- C:\Program Files\Trend Micro
2008-05-29 09:13:10 0 d--h----- C:\WINDOWS\system32\GroupPolicy
2008-05-27 09:47:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-26 22:53:50 0 d-------- C:\Program Files\Spyware Doctor
2008-05-26 22:53:50 0 d-------- C:\Documents and Settings\Dan\Application Data\PC Tools
2008-05-24 22:35:06 0 d--hs---- C:\WINDOWS\CSC
2008-05-06 08:00:35 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-06 08:00:15 0 d-------- C:\Program Files\ClickyMouse


-- Find3M Report ---------------------------------------------------------------

2008-05-26 21:43:42 0 d-------- C:\Program Files\WSFTPPro
2008-05-26 21:43:42 0 d-------- C:\Program Files\WS_FTP Pro
2008-05-26 21:43:42 0 d-------- C:\Program Files\TFIcoder
2008-05-26 21:43:41 0 d-------- C:\Program Files\Quicken
2008-05-26 21:43:41 0 d-------- C:\Program Files\ProductViewExpress
2008-05-26 21:43:40 0 d-------- C:\Program Files\Messenger
2008-05-26 21:43:40 0 d-------- C:\Program Files\MCE Information
2008-05-26 21:43:40 0 d-------- C:\Program Files\KPT Filters Setup Files
2008-05-26 21:43:39 0 d-------- C:\Program Files\AutoCAD LT 97
2008-05-26 21:43:36 0 d-------- C:\Program Files\Alibre Design
2008-05-26 09:31:55 0 d-------- C:\Program Files\Java
2008-04-15 19:03:11 0 d-------- C:\Documents and Settings\Dan\Application Data\Apple Computer
2008-04-15 19:00:06 0 d-------- C:\Program Files\QuickTime
2008-04-15 18:59:13 0 d-------- C:\Program Files\Apple Software Update


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/10/2004 07:04 AM]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [01/07/2005 08:07 PM C:\WINDOWS\system32\HdAShCut.exe]
"Alcmtr"="ALCMTR.EXE" [04/12/2005 04:10 AM C:\WINDOWS\ALCMTR.EXE]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 01:50 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [02/24/2005 10:32 AM]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [02/24/2005 10:32 AM]
"@"="" []
"vptray"="C:\Program Files\Norton antivirus\vptray.exe" [12/05/2001 12:53 PM]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [06/07/2005 12:46 AM]
"GoToMyPC"="C:\Program Files\Citrix\GoToMyPC\g2svc.exe" [01/12/2007 06:45 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [05/11/2007 04:06 AM]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [04/10/2008 03:14 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hot Keyboard"="C:\Program Files\Hot Keyboard Pro1\HotKeyb.exe" [03/22/2006 10:11 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll 01/12/2007 06:45 PM 10800 C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe
"EPSON Stylus CX7800 Series"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE /P26 "EPSON Stylus CX7800 Series" /O6 "USB002" /M "Stylus CX7800"
"nwiz"=nwiz.exe /install
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
"RTHDCPL"=RTHDCPL.EXE
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
"USSShReg"=C:\PROGRA~1\ULEADS~1\ULEADP~1\SSaver\Ussshreg.exe /r


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f3c8e70-ff09-11da-91b2-00018060c9c7}]
AutoRun\command- F:\LaunchU3.exe




-- End of Deckard's System Scanner: finished at 2008-05-31 14:05:15
-------------------------------------------------------------------

















extra.txt

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) D CPU 2.80GHz
CPU 1: Intel(R) Pentium(R) D CPU 2.80GHz
Percentage of Memory in Use: 56%
Physical Memory (total/avail): 1023.48 MiB / 441.04 MiB
Pagefile Memory (total/avail): 2461.79 MiB / 1830.25 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1941.82 MiB

C: is Fixed (NTFS) - 229.83 GiB total, 207.33 GiB free.
D: is CDROM (Unformatted)
E: is Removable (No Media)
F: is Removable (No Media)
G: is Removable (No Media)
I: is Removable (No Media)
J: is Removable (No Media)

\\.\PHYSICALDRIVE0 - ST3250823AS - 232.88 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 229.83 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 3.05 GiB

\\.\PHYSICALDRIVE5 - EPSON Stylus Storage USB Device

\\.\PHYSICALDRIVE2 - GENERIC USB Storage-CFC USB Device

\\.\PHYSICALDRIVE4 - GENERIC USB Storage-MSC USB Device

\\.\PHYSICALDRIVE3 - GENERIC USB Storage-SDC USB Device

\\.\PHYSICALDRIVE1 - GENERIC USB Storage-SMC USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Dan\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=DYNOTUNE
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Dan
LOGONSERVER=\\DYNOTUNE
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0404
ProgramFiles=C:\Program Files
PROMPT=$P$G
PVX_INSTALL_DIR=C:\Program Files\ProductViewExpress\
QTJAVA=C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Dan\LOCALS~1\Temp
TMP=C:\DOCUME~1\Dan\LOCALS~1\Temp
USERDOMAIN=DYNOTUNE
USERNAME=Dan
USERPROFILE=C:\Documents and Settings\Dan
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Dan (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\WS_FTP Pro\uninst.isu"
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
Adobe® Photoshop® Album Starter Edition 3.0 --> MsiExec.exe /I{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}
Alibre Design --> MsiExec.exe /X{47F21113-0D9A-11D5-8132-00C04FA0998D}
AOpen VA2000 WDM Drivers --> C:\WINDOWS\c8xunist.exe
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
ArcSoft PhotoImpression 5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D433ABC3-0CD8-4BB0-B6A9-84501B4B47B7}\Setup.exe" -l0x9
AutoCAD LT 97 --> C:\WINDOWS\acremen.exe ACLT-2453694:24069250
Canon CanoScan Toolbox 4.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BCE46757-7674-4416-BEDB-68205A60409E}\setup.exe" -l0x9
CircuitMaker 6 Student --> C:\WINDOWS\IsUninst.exe -fC:\CM60S\Uninst.isu
CoCreate License Server 14.0.1 --> MsiExec.exe /I{E462A9AD-3376-4362-92CA-832E0F58C6CC}
CoCreate OneSpace Designer Library3D 2006 --> MsiExec.exe /I{3E7F87D4-0F60-420D-AF47-6AE56ACB4B81}
CoCreate OneSpace Designer Modeling 2006 --> MsiExec.exe /I{514405D1-B3DE-482F-90EC-29D9272F2424}
CoCreate OneSpace Designer Modeling Server 2006 --> MsiExec.exe /I{3073E61D-DA27-4426-88E7-DD77A56393DF}
CoCreate OneSpace Modeling Personal Edition --> MsiExec.exe /I{08FF29BE-1E8E-40A5-9C71-F164D06E35E0}
CoCreate OneSpace.net Application Manager --> MsiExec.exe /I{19AB78AC-18D1-4DAD-B660-1ACAB3C84871}
CoCreate OneSpace.net Runtime Environment --> MsiExec.exe /I{1711F1C9-FEC9-4549-A917-D90D3A862B29}
CorelDRAW Graphics Suite 12 --> MsiExec.exe /I{505AFDC0-5E72-4928-8368-5DEA385E3647}
DWGeditor --> MsiExec.exe /X{1CECDCCE-1D2D-46E8-9F02-CCFC93120B55}
Dynojet Display File Manager 1.0.2 --> "C:\Dynojet Display File Manager\unins000.exe"
eDrawings 2006 --> MsiExec.exe /I{E44895E5-15CA-48CB-B136-707E5183BEF3}
eMachineShop --> C:\PROGRA~1\EMACHI~1\UNWISE.EXE C:\PROGRA~1\EMACHI~1\INSTALL.LOG
EPSON CX 7800 Guide --> C:\Program Files\epson\guide\cx7800_e\uninstall.exe
EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
EPSON Scan --> C:\Program Files\epson\escndv\setup\setup.exe /r
FTDI USB Serial Converter Drivers --> C:\WINDOWS\system32\ftdiunin.exe C:\WINDOWS\system32\ftdiun2k.ini
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
GoToMyPC --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{58F4D4FD-1814-4068-B316-C28FC776C6DD}\Setup.exe" -l0x9 AddRemovePrograms
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hot Keyboard Pro 2.8 --> "C:\Program Files\Hot Keyboard Pro1\unins000.exe"
InterActual Player --> C:\Program Files\InterActual\InterActual Player\inuninst.exe
iPod for Windows 2005-03-23 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{44A537A5-859C-43A6-8285-C0668142A090} /l1033
Ipswitch WS_FTP Pro --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\WS_FTP Pro\uninst.isu" -c"C:\Program Files\WS_FTP Pro\FTPInstUtils.dll"
iTunes --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{3CB41017-F5CA-4C56-934C-ED02156251E6}
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
Java(TM) 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java(TM) SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
KPT(R) Collection --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Corel\Corel Graphics 12\Plugins\KPT Collection\KPT Collection.isu"
LiveUpdate 1.7 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Lotus SmartSuite - English --> MsiExec.exe /I{536D6172-7453-7569-7465-392E36300409}
Microsoft Office FrontPage 2003 --> MsiExec.exe /I{90170409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{91110409-6000-11D3-8CFE-0150048383C9}
MSASPGH --> MsiExec.exe /I{F6D70B45-0CF0-4B15-A0D9-ED839334F2EA}
MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
Nero Suite --> C:\Program Files\Common Files\Ahead\Uninstall\Setup.exe /uninstall
Netscape (7.2) --> C:\WINDOWS\NSUninst.exe /ua "7.2 (en)"
Nikon Message Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}\Setup.exe" -l0x9 UNINSTALL
Norton AntiVirus Corporate Edition --> MsiExec.exe /I{BD12EB47-DBDF-11D3-BEEA-00A0CC272509}
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
OpenOffice.org Installer 1.0 --> MsiExec.exe /X{0D499481-22C6-4B25-8AC2-6D3F6C885FB9}
PictureProject --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FF3999BE-1A7B-4738-88AA-97BF14094A4A}\Setup.exe" -l0x9 UNINSTALL
Power Commander 3 USB --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{212ADFE3-0EA7-4670-B629-058A6CF3C58E} AnyText
Power Commander Control Center 3.2.0 (Test Build 1) --> "c:\junk\unins000.exe"
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
PTC ProductView Express - Wildfire 2.0 (F000) --> MsiExec.exe /I{EBD42841-D78D-419D-A1D1-7DA28D74AEBC}
QuickBooks Basic 2002 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{809987B2-F964-11D4-A1A5-00104BD190B1}\setup.exe" -addremove
Quicken 2006 --> MsiExec.exe /X{2818095F-FB6C-42C8-827E-0A406CC9AFF5}
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\setup.exe" REMOVE
S800 --> C:\WINDOWS\system32\CNMCP2T.EXE -@C:\WINDOWS\IsUninst.exe -f"C:\BJPrinter\CNMWINDOWS\Canon S800 Installer\Inst\DeIsL1.isu" -pCanon S800-c"C:\BJPrinter\CNMWINDOWS\Canon S800 Installer\Inst\bjinst.dll
SolidWorks 2006 Personal Edition --> MsiExec.exe /X{8B9C4F8A-9F75-42BB-9852-39C3467E5997}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Spyware Doctor 5.5 --> C:\Program Files\Spyware Doctor\unins000.exe /LOG
TFI CODER v1.6 --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\TFIcoder\ST6UNST.LOG"
Turbo Lister --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{99CC78D1-2356-497C-84C1-F239884001EC}
TurboCAD Professional v12 --> MsiExec.exe /I{B5EA8C2D-2F23-4087-8CFD-AA6FF8832831}
Two Stroke Engine Expansion Chamber Design Utility --> C:\WINDOWS\st6unst.exe -n "c:\Pipe_Dsn\ST6UNST.LOG"
Ulead PhotoImpact 4.0 --> C:\WINDOWS\Upi41002.exe /f:upi41002.inf
Update Rollup 1 for Windows XP Media Center Edition 2005 with HDTV Support (KB873369) --> C:\WINDOWS\$NtUninstallMC05Upd1$\spuninst\spuninst.exe
Windows XP Media Center Edition 2005 KB888316 --> C:\WINDOWS\$NtUninstallKB888316$\spuninst\spuninst.exe
Windows XP Media Center Edition 2005 KB890629 -->
Windows XP Media Center Edition 2005 KB890760 --> C:\WINDOWS\$NtUninstallKB890760$\spuninst\spuninst.exe
Windows XP Media Center Edition 2005 KB895678 --> C:\WINDOWS\$NtUninstallKB895678$\spuninst\spuninst.exe
WinZip --> C:\Program Files\WinZip\WINZIP32.EXE /uninstall


-- Application Event Log -------------------------------------------------------

Event Record #/Type4282 / Error
Event Submitted/Written: 05/30/2008 05:32:51 PM
Event ID/Source: 0 / MEls
Event Description:
No device (LAN:0-LAN:255, COM1-COM255) found which match the given Lan id 0x00018060c9c7

Event Record #/Type4279 / Warning
Event Submitted/Written: 05/30/2008 05:31:12 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type4276 / Error
Event Submitted/Written: 05/30/2008 07:18:55 AM
Event ID/Source: 0 / MEls
Event Description:
No device (LAN:0-LAN:255, COM1-COM255) found which match the given Lan id 0x00018060c9c7

Event Record #/Type4273 / Warning
Event Submitted/Written: 05/30/2008 07:17:08 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type4272 / Error
Event Submitted/Written: 05/30/2008 06:45:29 AM
Event ID/Source: 1001 / Application Error
Event Description:
Fault bucket 739006850.
The Wep key exchange did not result in a secure connection setup after 802.1x authentication. The current setting has been marked as failed and the Wireless connection will be disconnected.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type25980 / Error
Event Submitted/Written: 05/30/2008 05:33:00 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The MEls service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type25936 / Error
Event Submitted/Written: 05/30/2008 07:18:59 AM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The MEls service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type25906 / Error
Event Submitted/Written: 05/30/2008 06:39:31 AM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The MEls service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type25895 / Warning
Event Submitted/Written: 05/29/2008 08:24:12 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type25870 / Error
Event Submitted/Written: 05/28/2008 04:56:27 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The MEls service terminated unexpectedly. It has done this 1 time(s).



-- End of Deckard's System Scanner: finished at 2008-05-31 14:05:15 ------------

 

[Shaba]

Hi

1. Download combofix from any of these links and save it to Desktop:
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here

Post:

- a fresh HijackThis log
- combofix report

 

[lt1bird]

it produced a log on the screen, Thought it was done...Copied the log and closed it. There are no icons on my computer. Is it still running? I looked for the processes findstr, find, sed, swreg but none are listed.

Im on my wifes pc now..... what should I do?
Thanks!
Dan

 

[lt1bird]

Was I supose to shut off all my virus stuff and firewalls???
the conbfix tutorial said that...missed that step as S&D was poping up, I said to acept the changes....

 

[lt1bird]

Restarted the pc.... should I turn off tea timer and re-run combofix?

 

[lt1bird]

HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:22:33 PM, on 5/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton antivirus\defwatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Norton antivirus\vptray.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Hot Keyboard Pro1\HotKeyb.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
c:\program files\oem\msaspgh\msaspghost.exe
C:\Program Files\Norton antivirus\rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\CoCreate\OSDM_Server_2006\SDserver.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dynotunenitrous.com/store/Scripts/default.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.dynotunenitrous.com"); (C:\Documents and Settings\DAN\Application Data\Mozilla\Profiles\default\hc20xohv.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\DAN\Application Data\Mozilla\Profiles\default\hc20xohv.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [vptray] C:\Program Files\Norton antivirus\vptray.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [Hot Keyboard] C:\Program Files\Hot Keyboard Pro1\HotKeyb.exe -minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: Assign &hot key - C:\Program Files\Hot Keyboard Pro1\IEScript.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Handle with &Hot Keyboard - I:\hot keys\Hot Keyboard Pro\IEScript.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.Ricavision.com
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Norton antivirus\defwatch.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MEls - Unknown owner - C:\Program Files\CoCreate\MEls\MEls32.exe
O23 - Service: MSAS Plugin Host Service (MSASPGHost) - OEM - c:\program files\oem\msaspgh\msaspghost.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Norton antivirus\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SDserver2006 - CoCreate Software GmbH - C:\Program Files\CoCreate\OSDM_Server_2006\SDserver.exe

--
End of file - 6998 bytes






















Combofix with tea timer on
ComboFix 08-05-29.1 - Dan 2008-05-31 14:26:46.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.487 [GMT -4:00]
Running from: C:\Documents and Settings\Dan\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\WINDOWS\system32\mdm.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-31 )))))))))))))))))))))))))))))))
.

2008-05-31 14:01 . 2008-05-31 14:01 <DIR> d-------- C:\Deckard
2008-05-31 09:47 . 2008-05-31 09:47 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-30 10:11 . 2008-03-01 09:06 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-05-30 10:11 . 2007-04-17 05:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-05-30 10:11 . 2007-03-08 01:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-05-30 10:11 . 2008-03-01 09:06 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-05-30 10:11 . 2008-03-01 09:06 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-05-30 10:11 . 2008-03-01 09:06 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-05-30 10:11 . 2008-03-01 09:06 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-05-30 10:11 . 2008-03-01 09:06 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-05-30 10:11 . 2008-02-22 06:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-05-29 09:13 . 2008-05-29 09:13 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-05-27 09:47 . 2008-05-27 09:48 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-27 09:47 . 2008-05-27 16:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-26 22:54 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-05-26 22:54 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-05-26 22:54 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-05-26 22:54 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-05-26 22:53 . 2008-05-29 05:15 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-05-26 22:53 . 2008-05-26 22:53 <DIR> d-------- C:\Documents and Settings\Dan\Application Data\PC Tools
2008-05-25 17:09 . 2007-07-26 22:08 19,072 -ra------ C:\WINDOWS\system32\drivers\ax88772.sys
2008-05-06 08:00 . 2008-05-06 08:20 <DIR> d-------- C:\Program Files\ClickyMouse
2008-05-06 08:00 . 2008-05-30 17:42 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-15 18:59 . 2008-04-15 19:00 <DIR> d-------- C:\Program Files\QuickTime
2008-04-15 18:59 . 2008-04-15 18:59 <DIR> d-------- C:\Program Files\Apple Software Update
2008-04-15 18:59 . 2008-04-15 18:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-27 01:43 --------- d-----w C:\Program Files\WSFTPPro
2008-05-27 01:43 --------- d-----w C:\Program Files\WS_FTP Pro
2008-05-27 01:43 --------- d-----w C:\Program Files\TFIcoder
2008-05-27 01:43 --------- d-----w C:\Program Files\Quicken
2008-05-27 01:43 --------- d-----w C:\Program Files\ProductViewExpress
2008-05-27 01:43 --------- d-----w C:\Program Files\MCE Information
2008-05-27 01:43 --------- d-----w C:\Program Files\KPT Filters Setup Files
2008-05-27 01:43 --------- d-----w C:\Program Files\AutoCAD LT 97
2008-05-27 01:43 --------- d-----w C:\Program Files\Alibre Design
2008-05-26 13:31 --------- d-----w C:\Program Files\Java
2008-04-15 23:03 --------- d-----w C:\Documents and Settings\Dan\Application Data\Apple Computer
2008-04-15 22:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-26 11:59 294,912 ----a-w C:\WINDOWS\system32\msctf.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2007-02-28 04:10 722,176 ----a-w C:\Documents and Settings\Dan\gotomypc_428.exe
2006-01-06 03:38 56 --sh--r C:\WINDOWS\system32\D5063700E1.sys
2006-01-06 03:38 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hot Keyboard"="C:\Program Files\Hot Keyboard Pro1\HotKeyb.exe" [2006-03-22 22:11 612056]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 07:04 59392]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 20:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 13:50 155648]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-02-24 10:32 5537792]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-02-24 10:32 86016]
"vptray"="C:\Program Files\Norton antivirus\vptray.exe" [2001-12-05 12:53 73728]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46 57344]
"GoToMyPC"="C:\Program Files\Citrix\GoToMyPC\g2svc.exe" [2007-01-12 18:45 249904]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 04:06 40048]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-04-10 15:14 1107848]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll 2007-01-12 18:45 10800 C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe
"EPSON Stylus CX7800 Series"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE /P26 "EPSON Stylus CX7800 Series" /O6 "USB002" /M "Stylus CX7800"
"nwiz"=nwiz.exe /install
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
"RTHDCPL"=RTHDCPL.EXE
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
"USSShReg"=C:\PROGRA~1\ULEADS~1\ULEADP~1\SSaver\Ussshreg.exe /r

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 CXAVSAUD;AOpen VA2000 Audio Capture;C:\WINDOWS\system32\DRIVERS\cxavsaud.sys [2005-08-11 14:38]
R2 MSASPGHost;MSAS Plugin Host Service;c:\program files\oem\msaspgh\msaspghost.exe [2004-09-09 18:43]
R2 SDserver2006;SDserver2006;C:\Program Files\CoCreate\OSDM_Server_2006\SDserver.exe [2006-10-18 19:21]
R3 AX88772;ASIX AX88772 USB2.0 to Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\ax88772.sys [2007-07-26 22:08]
S2 MEls;MEls;"C:\Program Files\CoCreate\MEls\MEls32.exe" [2006-03-01 16:26]
S3 {DEF85C80-216A-43ab-AF70-1665EDBE2780};{DEF85C80-216A-43ab-AF70-1665EDBE2780};C:\WINDOWS\TEMP\521.tmp []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f3c8e70-ff09-11da-91b2-00018060c9c7}]
\Shell\AutoRun\command - F:\LaunchU3.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-24 22:29:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-31 14:30:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\{DEF85C80-216A-43ab-AF70-1665EDBE2780}]
"ImagePath"="\??\C:\WINDOWS\TEMP\521.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
Completion time: 2008-05-31 14:31:50
ComboFix-quarantined-files.txt 2008-05-31 18:31:46

Pre-Run: 222,524,030,976 bytes free
Post-Run: 222,550,732,800 bytes free

138 --- E O F --- 2008-05-30 21:30:56



still redirecting the paypal page...